Valentin Schwarze via Mailman-Users writes:

> I am the administrator of some mailman lists of the student
> self-administration of our university. We happened to have some spam
> issues on our mailman lists. These spammers were able to send
> emails on our lists through mail spoofing (only faking the From:
> field in the header is sufficient to get accepted). With a faked
> sender email address, which was in accept_these_nonmembers of the
> list, they were able to send spam mails on the lists.

It is helpful if you tell us more about the mail flows you *want* to go to the lists. For example, perhaps these addresses are in accept_these_nonmembers because the lists are one-way, going from a small number of allowed posters (eg, committee chairpersons) to the subscribers (eg, committee members).

In that case it would be possible to give the allowed posters a password, which is included in a line of the form "Approved: PASSWORD", either in the message header, or as the very first line of the message, which Mailman will remove before distributing. (The message header method is preferred, because many clients produce HTML which makes it unreliable to remove the Approved line. This isn't a problem in the header. But many users may not know how to add such a line to their header.) This method can be very effective, depending on the list configuration and the sophistication of the allowed posters.

If the list configuration is different, there may be other ways. The only generic way to prevent spam is full-on content and source filtering based on known features of spam and known spam sources. Host-based authentication (SPF and DKIM) may be a solution depending on your users' habits, but as others have pointed out, these are best done in the MTA before passing the post to Mailman.

Steve
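
The "Approved: PASSWORD" check described in the reply above, as an added illustration that is not part of the original message and is not Mailman's own code: it accepts the password from the header or from the first body line, strips it, and reports any MIME part that would still carry the password to subscribers. The function names, password and sample posts are constructed for this example.

```python
import hmac
from email import message_from_string

PASSWORD = "s3cret-example"  # constructed value, not a real credential

def _matches(candidate, password):
    # Constant-time comparison of the supplied value with the list password.
    return hmac.compare_digest(candidate.strip().encode(), password.encode())

def approve_and_strip(raw, password):
    """Return (approved, message, leaks) for one raw post.

    leaks names the MIME parts that still contain the password after the
    Approved: line has been removed from the header and the plain-text body.
    Assumes 7bit/8bit text parts (no base64 or quoted-printable decoding).
    """
    msg = message_from_string(raw)
    approved = False
    value = msg.get("Approved")
    if value is not None:
        approved = _matches(value, password)
        del msg["Approved"]  # never distribute the header, right or wrong
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        first, _, rest = part.get_payload().partition("\n")
        if first.lower().startswith("approved:"):
            approved = approved or _matches(first.split(":", 1)[1], password)
            part.set_payload(rest)
        break  # only the very first line of the first text part counts
    leaks = [p.get_content_type() for p in msg.walk()
             if not p.is_multipart() and password in p.get_payload()]
    return approved, msg, leaks

# Constructed sample posts: header form, body form sent as HTML mail, spoof.
HEADER_POST = ("From: chair@example.org\nSubject: Agenda\n"
               "Approved: s3cret-example\n\nMeeting at 10.\n")
HTML_POST = ("From: chair@example.org\nSubject: Agenda\nMIME-Version: 1.0\n"
             'Content-Type: multipart/alternative; boundary="b1"\n\n'
             "--b1\nContent-Type: text/plain\n\n"
             "Approved: s3cret-example\nMeeting at 10.\n"
             "--b1\nContent-Type: text/html\n\n"
             "<p>Approved: s3cret-example</p><p>Meeting at 10.</p>\n--b1--\n")
SPOOFED_POST = "From: chair@example.org\nSubject: Offer\n\nBuy now.\n"

if __name__ == "__main__":
    for name, raw in [("header", HEADER_POST), ("html", HTML_POST),
                      ("spoofed", SPOOFED_POST)]:
        ok, _, leaks = approve_and_strip(raw, PASSWORD)
        print(name, "approved" if ok else "held", "leaks:", leaks)
```

The HTML post is approved but reports a leak in its text/html part, which is the reason the header form is preferred; the spoofed post with only a forged From: is held.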
